<!DOCTYPE html
  PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
  "DTD/xhtml1-strict.dtd">
<html>
  <head>
    <title>volatility.plugins.malware.malfind : API documentation</title>
    <meta content="text/html;charset=utf-8" http-equiv="Content-Type" />
    <link href="apidocs.css" type="text/css" rel="stylesheet" />
    
    
  </head>
  <body>
    <h1 class="module">v.p.m.malfind : module documentation</h1>
    <p>
      <span id="part">Part of <a href="volatility.html">volatility</a>.<a href="volatility.plugins.html">plugins</a>.<a href="volatility.plugins.malware.html">malware</a></span>
      
      
    </p>
    <div>
      
    </div>
    <div class="undocumented">No module docstring</div>

    
    
    <div id="splitTables">
      <table class="children sortable" id="id214">
  
  
<tr class="class">
    
    
    <td>Class</td>
    <td><a href="volatility.plugins.malware.malfind.MalwareEPROCESS.html">MalwareEPROCESS</a></td>
    <td><span>Extension of the default EPROCESS with some helpers</span></td>
  </tr><tr class="class">
    
    
    <td>Class</td>
    <td><a href="volatility.plugins.malware.malfind.MalwareObjectClasesXP.html">MalwareObjectClasesXP</a></td>
    <td><span class="undocumented">Undocumented</span></td>
  </tr><tr class="function">
    
    
    <td>Function</td>
    <td><a href="volatility.plugins.malware.malfind.html#Disassemble">Disassemble</a></td>
    <td><span>Disassemble code with distorm3.</span></td>
  </tr><tr class="class">
    
    
    <td>Class</td>
    <td><a href="volatility.plugins.malware.malfind.BaseYaraScanner.html">BaseYaraScanner</a></td>
    <td><span>An address space scanner for Yara signatures.</span></td>
  </tr><tr class="class">
    
    
    <td>Class</td>
    <td><a href="volatility.plugins.malware.malfind.VadYaraScanner.html">VadYaraScanner</a></td>
    <td><span>A scanner over all memory regions of a process.</span></td>
  </tr><tr class="class">
    
    
    <td>Class</td>
    <td><a href="volatility.plugins.malware.malfind.DiscontigYaraScanner.html">DiscontigYaraScanner</a></td>
    <td><span>A Scanner for Discontiguous scanning.</span></td>
  </tr><tr class="class">
    
    
    <td>Class</td>
    <td><a href="volatility.plugins.malware.malfind.YaraScan.html">YaraScan</a></td>
    <td><span>Scan process or kernel memory with Yara signatures</span></td>
  </tr><tr class="class">
    
    
    <td>Class</td>
    <td><a href="volatility.plugins.malware.malfind.Malfind.html">Malfind</a></td>
    <td><span>Find hidden and injected code</span></td>
  </tr><tr class="class">
    
    
    <td>Class</td>
    <td><a href="volatility.plugins.malware.malfind.LdrModules.html">LdrModules</a></td>
    <td><span>Detect unlinked DLLs</span></td>
  </tr>
  
</table>
      
      
    </div>
    
    
    

    <div class="function">
  <a name="volatility.plugins.malware.malfind.Disassemble">
    
  </a>
  <a name="Disassemble">
    
  </a>
  <div class="functionHeader">
    
    def
    Disassemble(data, start, bits='32bit', stoponret=False):
    
  </div>
  <div class="functionBody">
    
    <div><p>Disassemble code with distorm3.</p>
<p>&#64;param data: Python byte str to decode
&#64;param start: address where <code>data</code> is found in memory
&#64;param bits: use 32bit or 64bit decoding
&#64;param stoponret: stop disasm when function end is reached</p>
<p>&#64;returns: tuple of (offset, instruction, hex bytes)</p><table class="fieldTable"></table></div>
  </div>
</div>
    <address>
      <a href="index.html">API Documentation</a> for Volatility 2.2, generated by <a href="http://codespeak.net/~mwh/pydoctor/">pydoctor</a> at 2013-06-24 15:16:10.
    </address>
  </body>
</html>